The federal government will seek to pass legislation that makes companies much more culpable in the event of a customer data breach.
Under the proposed changes, companies involved in serious or repeated violations could face fines of up to $50 million — up from the current cap of $2.2 million.
Penalties can also be in the form of 30 percent of the company’s adjusted turnover for the relevant period or three times the value of any benefit obtained through the misuse of the information.
Attorney-General Mark Dreyfus said recent major data breaches at companies including Optus and Medibank showed current measures were inadequate.
“It is not enough that the penalty for a serious data breach is seen as the cost of doing business,” Mr Dreyfus said in a press statement.
“When Australians are asked to hand over their personal data, they have a right to expect that it will be protected.”
Legislation to increase the maximum penalties that can be imposed under the Privacy Act 1988 will be introduced into Parliament next week.
The proposed changes would not be retrospective, meaning they could only apply to future violations.
The bill would also give the government body, the Australian Information Commissioner, greater powers to collect and share information to address privacy breaches.
The Attorney-General’s Department’s review of the Privacy Act is expected to be completed this year and will lead to further recommendations to better protect Australians’ information.
“I look forward to the support of this bill across Parliament, which is an important part of the Government’s agenda to ensure Australia’s privacy system can meet the new challenges of the digital age,” Mr Dreyfus said.